/cfngoat

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Cfngoat - Vulnerable Cloudformation Template

Maintained by Bridgecrew.io Infrastructure Tests CIS AWS PCI-DSS SOC2 ISO NIST-800-53 slack-community

Cfngoat is one of Bridgecrew's "Vulnerable by Design" Infrastructure as Code repositories, a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Cfngoat

It's an ideal companion to testing build time Infrastructure as Code scanning tools, such as Bridgecrew & Checkov

Table of Contents

Introduction

Cfngoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.

Cfngoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Installation

aws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM

Expect provisioning to take at least 5 minutes.

Multiple stacks can be deployed simultaniously by changing the --stack-name and adding an Environment parameter:

aws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM

Important notes

Before you proceed please take a not of these warning:

⚠️ Cfngoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy Cfngoat in a production environment or alongside any sensitive AWS resources.

Requirements

  • aws cli

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design Cloudformation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application

Contributing

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains Cfngoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at info@bridgecrew.io.

Existing vulnerabilities (Auto-Generated)

check_id file resource check_name guideline
0 CKV_AWS_46 /cfngoat.yaml AWS::EC2::Instance.EC2Instance Ensure no hard-coded secrets exist in EC2 user data https://docs.bridgecrew.io/docs/bc_aws_secrets_1
1 CKV_AWS_3 /cfngoat.yaml AWS::EC2::Volume.WebHostStorage Ensure all data stored in the EBS is securely encrypted https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume
2 CKV_AWS_24 /cfngoat.yaml AWS::EC2::SecurityGroup.WebNodeSG Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 https://docs.bridgecrew.io/docs/networking_1-port-security
3 CKV_AWS_23 /cfngoat.yaml AWS::EC2::SecurityGroup.WebNodeSG Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
4 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
5 CKV_AWS_21 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure the S3 bucket has versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
6 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
7 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
8 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
9 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
10 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
11 CKV_AWS_107 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow credentials exposure https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure
12 CKV_AWS_111 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
13 CKV_AWS_108 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow data exfiltration https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration
14 CKV_AWS_109 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow permissions management without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
15 CKV_AWS_40 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1
16 CKV_AWS_110 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow privilege escalation https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation
17 CKV_AWS_7 /cfngoat.yaml AWS::KMS::Key.LogsKey Ensure rotation for customer created CMKs is enabled https://docs.bridgecrew.io/docs/logging_8
18 CKV_AWS_16 /cfngoat.yaml AWS::RDS::DBInstance.DefaultDB Ensure all data stored in the RDS is securely encrypted at rest https://docs.bridgecrew.io/docs/general_4
19 CKV_AWS_157 /cfngoat.yaml AWS::RDS::DBInstance.DefaultDB Ensure that RDS instances have Multi-AZ enabled https://docs.bridgecrew.io/docs/general_73
20 CKV_AWS_17 /cfngoat.yaml AWS::RDS::DBInstance.DefaultDB Ensure all data stored in RDS is not publicly accessible https://docs.bridgecrew.io/docs/public_2
21 CKV_AWS_23 /cfngoat.yaml AWS::EC2::SecurityGroup.DefaultSG Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
22 CKV_AWS_107 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow credentials exposure https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure
23 CKV_AWS_111 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
24 CKV_AWS_108 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow data exfiltration https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration
25 CKV_AWS_109 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow permissions management without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
26 CKV_AWS_116 /cfngoat.yaml AWS::Lambda::Function.AnalysisLambda Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
27 CKV_AWS_173 /cfngoat.yaml AWS::Lambda::Function.AnalysisLambda Check encryption settings for Lambda environmental variable https://docs.bridgecrew.io/docs/bc_aws_serverless_5
28 CKV_AWS_45 /cfngoat.yaml AWS::Lambda::Function.AnalysisLambda Ensure no hard-coded secrets exist in lambda environment https://docs.bridgecrew.io/docs/bc_aws_secrets_3
29 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
30 CKV_AWS_20 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket does not allow READ permissions to everyone https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone
31 CKV_AWS_21 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket has versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
32 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
33 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
34 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
35 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
36 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
37 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
38 CKV_AWS_21 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure the S3 bucket has versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
39 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
40 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
41 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
42 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
43 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
44 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
45 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
46 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
47 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
48 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
49 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
50 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
51 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
52 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
53 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
54 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
55 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
56 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
57 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
58 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
59 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
60 CKV_AWS_111 /cfngoat.yaml AWS::IAM::Role.CleanupRole Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
61 CKV_AWS_108 /cfngoat.yaml AWS::IAM::Role.CleanupRole Ensure IAM policies does not allow data exfiltration https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration
62 CKV_AWS_116 /cfngoat.yaml AWS::Lambda::Function.CleanBucketFunction Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
63 CKV_AWS_58 /eks.yaml AWS::EKS::Cluster.EKSCluster Ensure EKS Cluster has Secrets Encryption Enabled https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3

check_id file resource check_name guideline
0 CKV_SECRET_2 /cfngoat.yaml 25910f981e85ca04baf359199dd0bd4a3ae738b6 AWS Access Key https://docs.bridgecrew.io/docs/git_secrets_2
1 CKV_SECRET_6 /cfngoat.yaml d70eab08607a4d05faa2d0d6647206599e9abc65 Base64 High Entropy String https://docs.bridgecrew.io/docs/git_secrets_6